One expert says the interoperability of medical devices, especially of IoT medical devices, creates soft spots in an organization’s security framework.
Medical device manufacturers have focused on the interoperability of their products as a key design element because their clients (hospitals and other healthcare organizations) have demanded it, according to Maryanne Woo, partner at international law firm Reed Smith.
“U.S. hospitals on average have between 10 and 15 connected devices per bed,” Woo says. “All those devices are made by different manufacturers, and all must effectively communicate with each other in order to deliver patient care.”
The implementation of the Internet of Things (IoT) in medical devices has expanded the range of interconnectedness beyond the hospital bed. In its simplest form, IoT technology consists of sensors embedded into devices: the sensors collect data and stream that data to a server, and the server amalgamates the data into “Big Data,” which is then used to make more informed decisions. The ability of IoT devices to stream the data wirelessly extends the range of connectivity.
There is anecdotal evidence of the benefits of the increased data afforded by the use of IoT devices by hospitals, says Woo. “As to the in-hospital experience, an Orlando, Florida, area hospital system tags patients with a real-time location system (RTLS) when scheduled for surgery. Family members can then track the patient’s progress from pre-operation, to surgery, to the recovery unit through screens displaying anonymized ID codes in the waiting room.”
Hospital administrators have also used IoT to analyze workflow and better manage doctor and nurse staffing, according to Woo. “For example, IoT allowed administrators at Saint Mary’s Hospital in Waterbury, Connecticut, to determine the efficient scheduling of nursing staff to reduce unnecessary overtime,” she says. “Gathering and analyzing workforce data allowed Saint Mary’s Hospital to ensure the appropriate level of staffing for each time period, saving $650,000 in unnecessary overtime while simultaneously improving patient care.”
However, Woo says, the interoperability of medical devices, especially of IoT medical devices, creates soft spots in an organization’s security framework that are readily exploitable by hackers.
“These devices do not have firewalls or the capability of detecting malware,” Woo says. “In addition, many of these devices physically travel throughout the hospital or healthcare organization, connecting to various network points along the way. Malware embedded into a single IoT device can be readily spread throughout a network, debilitating the entire system.”
Woo cites the WannaCry ransomware attack in May 2017, which she says demonstrated how all these issues play out in the real world. “Forty-eight hospitals in the United Kingdom were affected. Vital equipment such as MRI scanners and X-ray machines had to be taken offline. Numerous medical procedures and appointments were canceled and vital medical records could not be accessed,” she says.
The WannaCry ransomware took advantage of computers running Windows XP, an operating system no longer supported by Microsoft. “Only 5% of the U.K.’s National Health System computers still used the operating system,” Woo explains. “But because of the interconnectedness of the hospital’s networks, the malware spread quickly throughout the system.”
In addition to the potential for direct patient harm, interoperable healthcare devices also lead to greater risks of patient data privacy breaches, according to Woo.
“The innovation of IoT medical devices allows for more and more remote delivery of patient care. By design, these IoT medical devices constantly collect and stream data wirelessly, oftentimes monitoring the patient at home during his or her normal routine,” she says. “This data can be easily accessed by the patient and the healthcare provider on multiple devices, from laptops to cell phones. This ease of accessibility is an advantage, but also creates vulnerabilities in keeping the data private. Failure to protect patient data could result in violations of privacy, identity theft, financial theft, and HIPAA violations.”